Hongkun Zeng

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions prior to 4.8.5 **Description** An issue allows an attacker to read any file on the server that the web server's user can access when the AllowArbitraryServer configuration setting is set to true. This is related to the mysql.allow local infile PHP configuration and the inadvertent ignoring of `options(MYSQLI OPT LOCAL INFILE)` calls. **Recommendations** For versions prior to 4.8.5, update to version 4.8.5 or later to resolve the issue. As a temporary workaround, consider setting the AllowArbitraryServer configuration setting to false to minimize the risk of exploitation. Additionally, restrict the use of the `mysql.allow local infile` PHP configuration to prevent unauthorized file access.

**Name of the Vulnerable Software and Affected Versions** OXID eShop Enterprise Edition versions prior to 6.1.0 OXID eShop Professional Edition versions prior to 6.1.0 OXID eShop Community Edition versions prior to 6.1.0 **Description** An issue allows an attacker to gain access to the admin panel or a customer account when using the password reset function. This can be achieved by owning a domain name similar to the one the victim uses for their e-mail accounts. **Recommendations** For OXID eShop Enterprise Edition versions prior to 6.1.0, update to version 6.1.0 or later. For OXID eShop Professional Edition versions prior to 6.1.0, update to version 6.1.0 or later. For OXID eShop Community Edition versions prior to 6.1.0, update to version 6.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple versions prior to 2.1.6 **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request. **Recommendations** For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/adduser.php endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dotclear versions prior to 2.10.3 **Description** The issue allows remote attackers to modify the password reset address link by manipulating the HTTP Host header when it is not part of the web server routing process. **Recommendations** For versions prior to 2.10.3, update to version 2.10.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dotclear versions prior to 2.10.3 **Description** The issue allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension. This can be achieved by uploading a ZIP file with a file that has an extension such as `.php.txt` or `.php%20`. **Recommendations** For versions prior to 2.10.3, update to version 2.10.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fileUnzip->unzip` method or limiting the types of files that can be uploaded to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** DokuWiki versions 2016-06-26a and older **Description** The issue allows users to scan ports of internal networks via SSRF, affecting private networks such as 10.0.0.1/8, 172.16.0.0/12, and 192.168.0.0/16, when media file fetching is enabled. This is due to the `sendRequest` method in the `HTTPClient` Class in the file `/inc/HTTPClient.php` having no access restrictions. **Recommendations** For DokuWiki versions 2016-06-26a and older, consider disabling media file fetching to prevent SSRF attacks until a patch is available. Restrict access to the `sendRequest` method in the `HTTPClient` Class to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DokuWiki versions 2016-06-26a and older **Description** The issue allows a remote unauthenticated attacker to change the hostname in the password-reset URL via the HTTP Host header, potentially leading to phishing attacks. This can be triggered if the Host header is not part of the web server routing process, such as when multiple domains are served by the same web server. **Recommendations** For DokuWiki versions 2016-06-26a and older, consider updating to a version that uses the baseurl setting instead of `$ SERVER['HTTP HOST']` for the password-reset URL. As a temporary workaround, ensure that the Host header is part of the web server routing process to prevent exploitation. Restrict access to the password-reset functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.